Are you giving away your login details for all your accounts?

Woah there! You’ve found yourself on an old article. Take note of the date before reading.

Ok I acknowledge that I’m no security expert and this probably isn’t a major security risk, but do you recognize this scenario?

You’re on some two-bit website trying to log in. Maybe its a royalty free photo bank, maybe a discussion board, or some random online game.You’re in a hurry, not thinking too hard, and suddenly find you’ve tapped in the username and password for your email account, or – even worse – your work VPN. It comes up as “incorrect username / password” so then you go on to try another likely candidate – and then another again. By the end of it you’ve hammered in pretty much every username and password you’ve used in the last 10 years.

Have you ever considered the possibility that this site is storing all the rejected username and passwords? They may be storing them with or without nefarious purposes, but either way, it’s a genuine possibility. It seems reasonably possible that if you were a nasty person, this kind of list would be useful for a dictionary attack. I’d love to be enlightened by an expert on this stuff.

Password security seems to be primarily a human problem… I’m no expert but I’m really intrigued to readmoreaboutthis…

2 comments

Sam

February 27, 2007

For the programmers of these websites, it takes one simple line of code to store your password in plain text or have it emailed somewhere.

Furthermore, unless the website is using SSL, your password is being sent in plain text anyway, and can be easily sniffed on the local network, and even on the open internet.

I have designed login portals where users’ passwords were stored or sent to me in plain text for debugging purposes, but that code was removed (not just commented out) on production systems.

This ultimately comes down to trusting other Humans.

The internet is an inherently insecure place, just as the world is inherantly dirty and diseased. However, this doesn’t prevent you from going out in public, using the restroom, and eating in public restaurants. We just trust in a general societal set of best practices. We wash our hands, we clean our bathrooms and kitchens. We trust that other people will be good enough to protect us.

Having a website which stores bad passwords is the equivalent of having someone who purposefully sneezes on your burger, then laughs as he watches you eat it.

Garrett

April 16, 2007

I had the same attitude as Sam regarding internet security until a couple of weeks ago when I saw a news program discussing a different twist on this same theme. An international ring of hackers had planted software on some hotel computers available for public use. This software recorded every keystroke made on these computers. Apparently lots of people check bank accounts online while out of town. They were wiping out the life savings of unsuspecting victims. Some of the larger banks were reimbursing their clients but a couple of credit unions and banks issued statements that they would not reimburse since this was due to the customerâ€™s negligence.

When I heard this story, I was preparing to go out of town. My laptop was making the trip of course, and this story made me feel a lot less secure about signing into the hotelâ€™s network, even with my own computer. I read and re-read the terms and legalities before accepting them when I signed in (something I usually quickly run through). I didnâ€™t dare sign into any bank accounts. While I know that the internet mimics the world we live in, it takes on a whole new meaning when you become a little too relaxed and make careless mistakes that could cost you everything!! We should never stop asking â€œwhat ifâ€ and take the same precautions with the computer that we take in other areas of our lives to keep ourselves safe.